“Karma” PEAP-based Access Point
I stumbled upon the FreeRADIUS-WPE patch a while back. I’m a big fan of capturing challenge/response handshakes and trying to crack them, so seeing this applied to wireless was very interesting to me. I played with it for a bit and then decided it needed to be extended into a Karma-style role that answers any and all probe requests. I initially looked at combining an airbase-ng setup with FreeRADIUS-WPE, but that didn’t go anywhere. In the end, I simply hacked hostapd. I’ve also provided the fine John folks a patch for MSCHAPv2 brute-forcing, which you can find in their Jumbo patches. Here ya go:
HostAPd w/ Karma-Style Fun
- Respond to any probe request (-R option)
- Accept and log all PEAP/MSCHAPv2 auth attempts (-A option)
HostAP Karma Patch (0.6.9)
HostAP Karma Patch (hostap_0_7_2-775-g9fc6aa9)
HostAP Karma Patch (1.0)
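The -R behaviour above has a simple observable side effect: one BSSID ends up sending probe responses for many unrelated SSIDs. The following detection script is an added example, not part of the original post or the hostapd patch; it runs over a constructed "timestamp bssid ssid" probe-response log (the log format and the threshold of 3 distinct SSIDs are assumptions, not anything the page specifies).

```python
"""Flag access points that answer probe requests for many different SSIDs.

A Karma-style AP replies to every probe request with a probe response
carrying whatever SSID the client asked for, so a single BSSID is seen
advertising many unrelated network names. A normal AP advertises one or
a handful of SSIDs, so a high distinct-SSID count per BSSID stands out.
"""
from collections import defaultdict

# Constructed sample capture (not real data): one probe response per line,
# "timestamp bssid ssid", as a wireless monitoring tool might log them.
SAMPLE_LOG = """\
1700000001 aa:bb:cc:dd:ee:01 corp-wifi
1700000002 aa:bb:cc:dd:ee:01 corp-wifi
1700000003 aa:bb:cc:dd:ee:02 corp-wifi
1700000004 aa:bb:cc:dd:ee:02 HomeNet
1700000005 aa:bb:cc:dd:ee:02 attwifi
1700000006 aa:bb:cc:dd:ee:02 Starbucks WiFi
1700000007 aa:bb:cc:dd:ee:02 linksys
1700000008 aa:bb:cc:dd:ee:03 guest
1700000009 aa:bb:cc:dd:ee:03 corp-wifi
"""


def parse_probe_responses(text):
    """Map each BSSID to the set of SSIDs it has answered probes for.

    SSIDs may contain spaces, so only the first two fields are split off.
    Blank lines and short lines are ignored.
    """
    ssids_by_bssid = defaultdict(set)
    for line in text.splitlines():
        parts = line.strip().split(maxsplit=2)
        if len(parts) != 3:
            continue
        _timestamp, bssid, ssid = parts
        ssids_by_bssid[bssid.lower()].add(ssid)
    return ssids_by_bssid


def find_karma_candidates(ssids_by_bssid, threshold=3):
    """Return (bssid, sorted SSIDs) for BSSIDs above the distinct-SSID threshold.

    The threshold is a tuning assumption: a legitimate multi-SSID AP may
    advertise two or three names, so set it above what your own APs do.
    """
    return sorted(
        (bssid, sorted(ssids))
        for bssid, ssids in ssids_by_bssid.items()
        if len(ssids) > threshold
    )


if __name__ == "__main__":
    for bssid, ssids in find_karma_candidates(parse_probe_responses(SAMPLE_LOG)):
        print(f"{bssid} answered probes for {len(ssids)} SSIDs: {', '.join(ssids)}")
```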
EAP Brute-Force Logon Script
The eaper.py script uses the wpa_supplicant daemon to perform (very slow) brute-force logons against LEAP/EAP-PEAP networks. This means that wpa_supplicant must be running before executing eaper.py. If the daemon is not auto-started by your operating system, the following should suffice:
% sudo wpa_supplicant -iwlan0 -c ./wpa_supplicant.conf
The following example will test each user listed in “users.txt” with the passwords listed in “pass.txt” and a password matching the respective username.
% ./eaper.py -s some_ssid -U users.txt -P pass.txt -e
The following example will test username/password combinations found in “combo.txt”. The format of the file is username:password.
% ./eaper.py -s some_ssid -c combo.txt
It’s important to note that when wpa_supplicant successfully connects, it generates valid keys for the network. These keys are reused on subsequent logon attempts, so later username/password combinations are not actually tested against the network, which can produce false positives. If you want to continue testing after finding a valid credential pair, restart wpa_supplicant.